Discussion:
0-day "vulnerability"
(too old to reply)
wmsecurity
2010-10-28 16:17:25 UTC
Permalink
The term "0-day vulnerability" usually refers to a currently unpatched security
issue in some specific product. The availability of an exploit, public or not,
is optional in this case. That's why both terms have the right to exist.
Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit)  Also, by definition, a 0-day no longer exists the moment it
is announced ;)
For once and for all: There is no such thing as a "zero-day
vulnerability" (quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Curt Purdy
2010-10-28 16:31:34 UTC
Permalink
OK, good points.

And since my mac dictionary widget doesn't have the term yet, I vote
for "0day dis" It has a nice ring to it ;)

Curt
Yep. Totally agree. Vulnerability exists in the system since it has been developed. It is just the matter when it has been disclosed or being exploited.
I would suggest " 0 day disclosure" instead of "0 day vulnerability" :)
------Original Message------
From: Curt Purdy
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM
Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit)  Also, by definition, a 0-day no longer exists the moment it
is announced ;)
For once and for all: There is no such thing as a "zero-day
vulnerability" (quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Sent from BlackBerry® on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Thor (Hammer of God)
2010-10-28 16:35:33 UTC
Permalink
None of this really matters. People will call it whatever they want to. Generally, all software has some sort of vulnerability. If they want to call the process of that vulnerability being communicated for the first time "0 day vulnerability" then so what.

The industry can't (and won't) even come up with what "Remote Code Execution" really means, so trying to standardize disclosure nomenclature is a waste of time IMO.
t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:25 AM
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Yep. Totally agree. Vulnerability exists in the system since it has been
developed. It is just the matter when it has been disclosed or being exploited.
I would suggest " 0 day disclosure" instead of "0 day vulnerability" :)
------Original Message------
From: Curt Purdy
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM
Sorry to rant, but I have seen this term used once too many times to sit idly
by. And used today by what I once thought was a respectable infosec
publication (that will remain nameless) while referring to the current Firefox
vulnerability (that did, by the way, once have a 0-day
sploit) Also, by definition, a 0-day no longer exists the moment it is
announced ;)
For once and for all: There is no such thing as a "zero-day vulnerability"
(quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Sent from BlackBerry(r) on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Curt Purdy
2010-10-28 16:50:34 UTC
Permalink
Right as usual t-man, but while we are doing F&Ws job for them,
"Remote code execution" is: any program you can run on a machine you
can't touch (for further explanation, "man touch").

Curt



On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
None of this really matters.  People will call it whatever they want to.  Generally, all software has some sort of vulnerability.  If they want to call the process of that vulnerability being communicated for the first time "0 day vulnerability" then so what.
The industry can't (and won't) even come up with what "Remote Code Execution" really means, so trying to standardize disclosure nomenclature is a waste of time IMO.
t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:25 AM
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Yep. Totally agree. Vulnerability exists in the system since it has been
developed. It is just the matter when it has been disclosed or being exploited.
I would suggest " 0 day disclosure" instead of "0 day vulnerability" :)
------Original Message------
From: Curt Purdy
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM
Sorry to rant, but I have seen this term used once too many times to sit idly
by. And used today by what I once thought was a respectable infosec
publication (that will remain nameless) while referring to the current Firefox
vulnerability (that did, by the way, once have a 0-day
sploit)  Also, by definition, a 0-day no longer exists the moment it is
announced ;)
For once and for all: There is no such thing as a "zero-day vulnerability"
(quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Sent from BlackBerry(r) on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Thor (Hammer of God)
2010-10-28 17:14:46 UTC
Permalink
I would further define it as "code that can be run on a machine remotely without any human interaction." What I think would be ultimately effective is if researches and those who make disclosure announcements quit trying to make their discoveries or processes "cool" and just stick to the facts. Vendors want to downplay vulnerabilities, disclosures want it to sound as bad as it can be. That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as "Remote Code Execution" that is "Moderately Critical" as if there are actually varying degrees of "Critical."

The same holds true for quantifying "likelihood of exploitation" as "high" based on what researchers call "extremely common deployment environments in many businesses" when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing with XP peer-to-peer configurations.

I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the "user." People want the "vulnerability" they "discover" to be awesome and cool and critical because it substantiates their egos. For now, preceding anything with "0-day" is a way of invoking fear and urgency as if it represents some immanent disaster, but soon people will become desensitized to that as well.

t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Right as usual t-man, but while we are doing F&Ws job for them, "Remote
code execution" is: any program you can run on a machine you can't touch (for
further explanation, "man touch").
Curt
On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
None of this really matters.  People will call it whatever they want
to.  Generally, all software has some sort of vulnerability.  If they want to call
the process of that vulnerability being communicated for the first time "0 day
vulnerability" then so what.
The industry can't (and won't) even come up with what "Remote Code
Execution" really means, so trying to standardize disclosure nomenclature is a
waste of time IMO.
t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:25 AM
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Yep. Totally agree. Vulnerability exists in the system since it has
been developed. It is just the matter when it has been disclosed or being
exploited.
I would suggest " 0 day disclosure" instead of "0 day vulnerability" :)
------Original Message------
From: Curt Purdy
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM
Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit)  Also, by definition, a 0-day no longer exists the moment it
is announced ;)
For once and for all: There is no such thing as a "zero-day vulnerability"
(quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Sent from BlackBerry(r) on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Curt Purdy
2010-10-28 18:05:47 UTC
Permalink
Along the same lines, from DHS to Symantec, the threat level is always
"Elevated". So yellow is now the new green. I think ISS (IBM now) is
one of the few that leave their alert level at "1" until there is
really a "2-4" situation to deal with. I don't need more stress in my
day than the crackers already provide...

Of course, I know keeping things in perspective are hard these days,
i.e. I was reading the Washington Post on the Metro this morning,
looking at a map of the four stations that al-Qaeda planned to bomb,
as I passed all four of them. I would say my PTL (Personal Threat
Level) is red.

BTW Hammer, I think of is an OK middle name, but I think your last
name is a little presumptuous ;)

Curt



On Thu, Oct 28, 2010 at 1:14 PM, Thor (Hammer of God)
I would further define it as "code that can be run on a machine remotely without any human interaction."   What I think would be ultimately effective is if researches and those who make disclosure announcements quit trying to make their discoveries or processes "cool" and just stick to the facts.  Vendors want to downplay vulnerabilities, disclosures want it to sound as bad as it can be.  That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as "Remote Code Execution" that is "Moderately Critical" as if there are actually varying degrees of "Critical."
The same holds true for quantifying "likelihood of exploitation" as "high" based on what researchers call "extremely common deployment environments in many businesses" when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing  with XP peer-to-peer configurations.
I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the "user."  People want the "vulnerability" they "discover" to be awesome and cool and critical because it substantiates their egos.  For now, preceding anything with "0-day" is a way of invoking fear and urgency as if it represents some immanent disaster, but soon people will become desensitized to that as well.
t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Right as usual t-man, but while we are doing F&Ws job for them, "Remote
code execution" is: any program you can run on a machine you can't touch (for
further explanation, "man touch").
Curt
On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
None of this really matters.  People will call it whatever they want
to.  Generally, all software has some sort of vulnerability.  If they want to call
the process of that vulnerability being communicated for the first time "0 day
vulnerability" then so what.
The industry can't (and won't) even come up with what "Remote Code
Execution" really means, so trying to standardize disclosure nomenclature is a
waste of time IMO.
t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:25 AM
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Yep. Totally agree. Vulnerability exists in the system since it has
been developed. It is just the matter when it has been disclosed or being
exploited.
I would suggest " 0 day disclosure" instead of "0 day vulnerability" :)
------Original Message------
From: Curt Purdy
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM
Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit)  Also, by definition, a 0-day no longer exists the moment it
is announced ;)
For once and for all: There is no such thing as a "zero-day vulnerability"
(quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Sent from BlackBerry(r) on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Christian Sciberras
2010-10-28 21:56:09 UTC
Permalink
Well, you know how it is, we all love calling bugs "information
security vulnerability exploits" (pick any combo).
It just there's a new one in the club, 0day. They're as much realistic
as "flying elephants" can get.

The good thing is, their use (in mail subjects) is often an indication
of (a lack of) seriousness...making emails easier to ignore.

Anywho, it really ain't unexpected social behavior, they're all
hackers/pwners, no? Complaining won't do much!


Cheers,
Chris.
Post by Curt Purdy
Along the same lines, from DHS to Symantec, the threat level is always
"Elevated". So yellow is now the new green. I think ISS (IBM now) is
one of the few that leave their alert level at "1" until there is
really a "2-4" situation to deal with. I don't need more stress in my
day than the crackers already provide...
Of course, I know keeping things in perspective are hard these days,
i.e. I was reading the Washington Post on the Metro this morning,
looking at a map of the four stations that al-Qaeda planned to bomb,
as I passed all four of them. I would say my PTL (Personal Threat
Level) is red.
BTW Hammer, I think of is an OK middle name, but I think your last
name is a little presumptuous ;)
Curt
On Thu, Oct 28, 2010 at 1:14 PM, Thor (Hammer of God)
I would further define it as "code that can be run on a machine remotely without any human interaction."   What I think would be ultimately effective is if researches and those who make disclosure announcements quit trying to make their discoveries or processes "cool" and just stick to the facts.  Vendors want to downplay vulnerabilities, disclosures want it to sound as bad as it can be.  That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as "Remote Code Execution" that is "Moderately Critical" as if there are actually varying degrees of "Critical."
The same holds true for quantifying "likelihood of exploitation" as "high" based on what researchers call "extremely common deployment environments in many businesses" when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing  with XP peer-to-peer configurations.
I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the "user."  People want the "vulnerability" they "discover" to be awesome and cool and critical because it substantiates their egos.  For now, preceding anything with "0-day" is a way of invoking fear and urgency as if it represents some immanent disaster, but soon people will become desensitized to that as well.
t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Right as usual t-man, but while we are doing F&Ws job for them, "Remote
code execution" is: any program you can run on a machine you can't touch (for
further explanation, "man touch").
Curt
On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
None of this really matters.  People will call it whatever they want
to.  Generally, all software has some sort of vulnerability.  If they want to call
the process of that vulnerability being communicated for the first time "0 day
vulnerability" then so what.
The industry can't (and won't) even come up with what "Remote Code
Execution" really means, so trying to standardize disclosure nomenclature is a
waste of time IMO.
t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:25 AM
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Yep. Totally agree. Vulnerability exists in the system since it has
been developed. It is just the matter when it has been disclosed or being
exploited.
I would suggest " 0 day disclosure" instead of "0 day vulnerability" :)
------Original Message------
From: Curt Purdy
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM
Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit)  Also, by definition, a 0-day no longer exists the moment it
is announced ;)
For once and for all: There is no such thing as a "zero-day vulnerability"
(quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Sent from BlackBerry(r) on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Josey Yelsef
2010-10-29 01:03:45 UTC
Permalink
0-day is a scene word. Connotations are inferred, you're more precise definition is pretty much what people already assume.

Desensitization to security is a serious issue also. Look at homeland security's warning level system. Look at the news of deaths in Iraq and Afghanistan. It's boring as looking up at the blue sky.

--- On Thu, 10/28/10, Thor (Hammer of God) <***@hammerofgod.com> wrote:

From: Thor (Hammer of God) <***@hammerofgod.com>
Subject: Re: [Full-disclosure] 0-day "vulnerability"
To: "Curt Purdy" <***@gmail.com>, "Thor (Hammer of God)" <***@hammerofgod.com>
Cc: "full-***@lists.grok.org.uk" <full-***@lists.grok.org.uk>, "full-disclosure-***@lists.grok.org.uk" <full-disclosure-***@lists.grok.org.uk>
Date: Thursday, October 28, 2010, 5:14 PM

I would further define it as "code that can be run on a machine remotely without any human interaction."   What I think would be ultimately effective is if researches and those who make disclosure announcements quit trying to make their discoveries or processes "cool" and just stick to the facts.  Vendors want to downplay vulnerabilities, disclosures want it to sound as bad as it can be.  That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as "Remote Code Execution" that is "Moderately Critical" as if there are actually varying degrees of "Critical." 

The same holds true for quantifying "likelihood of exploitation" as "high" based on what researchers call "extremely common deployment environments in many businesses" when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing  with XP peer-to-peer configurations. 

I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the "user."  People want the "vulnerability" they "discover" to be awesome and cool and critical because it substantiates their egos.  For now, preceding anything with "0-day" is a way of invoking fear and urgency as if it represents some immanent disaster, but soon people will become desensitized to that as well.

t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Right as usual t-man, but while we are doing F&Ws job for them, "Remote
code execution" is: any program you can run on a machine you can't touch (for
further explanation, "man touch").
Curt
On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
None of this really matters.  People will call it whatever they want
to.  Generally, all software has some sort of vulnerability.  If they want to call
the process of that vulnerability being communicated for the first time "0 day
vulnerability" then so what.
The industry can't (and won't) even come up with what "Remote Code
Execution" really means, so trying to standardize disclosure nomenclature is a
waste of time IMO.
t
-----Original Message-----
Sent: Thursday, October 28, 2010 9:25 AM
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Yep. Totally agree. Vulnerability exists in the system since it has
been developed. It is just the matter when it has been disclosed or being
exploited.
I would suggest " 0 day disclosure" instead of "0 day vulnerability" :)
------Original Message------
From: Curt Purdy
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM
Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit)  Also, by definition, a 0-day no longer exists the moment it
is announced ;)
For once and for all: There is no such thing as a "zero-day vulnerability"
(quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Sent from BlackBerry(r) on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Cal Leeming [Simplicity Media Ltd]
2010-10-29 02:23:57 UTC
Permalink
Yeah, just for the record, this thread is now hitting google spam filters :S
Post by Josey Yelsef
0-day is a scene word. Connotations are inferred, you're more precise
definition is pretty much what people already assume.
Desensitization to security is a serious issue also. Look at homeland
security's warning level system. Look at the news of deaths in Iraq and
Afghanistan. It's boring as looking up at the blue sky.
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Date: Thursday, October 28, 2010, 5:14 PM
I would further define it as "code that can be run on a machine remotely
without any human interaction." What I think would be ultimately effective
is if researches and those who make disclosure announcements quit trying to
make their discoveries or processes "cool" and just stick to the facts.
Vendors want to downplay vulnerabilities, disclosures want it to sound as
bad as it can be. That's why we have people describing a user following a
link in an email to download something from their site to be subsequently
executed as "Remote Code Execution" that is "Moderately Critical" as if
there are actually varying degrees of "Critical."
The same holds true for quantifying "likelihood of exploitation" as "high"
based on what researchers call "extremely common deployment environments in
many businesses" when they are actually inferring what they THINK is common
based on what two of their 5-10 workstation clients are doing with XP
peer-to-peer configurations.
I think that the only people really paying any attention to this are other
researchers, who basically ignore what other people call something - this
doesn't really benefit the "user." People want the "vulnerability" they
"discover" to be awesome and cool and critical because it substantiates
their egos. For now, preceding anything with "0-day" is a way of invoking
fear and urgency as if it represents some immanent disaster, but soon people
will become desensitized to that as well.
t
-----Original Message-----
]
Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
full-
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Right as usual t-man, but while we are doing F&Ws job for them, "Remote
code execution" is: any program you can run on a machine you can't touch
(for
further explanation, "man touch").
Curt
On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
Post by Thor (Hammer of God)
None of this really matters. People will call it whatever they want
to. Generally, all software has some sort of vulnerability. If they want
to call
the process of that vulnerability being communicated for the first time "0
day
vulnerability" then so what.
Post by Thor (Hammer of God)
The industry can't (and won't) even come up with what "Remote Code
Execution" really means, so trying to standardize disclosure nomenclature
is a
waste of time IMO.
Post by Thor (Hammer of God)
t
-----Original Message-----
On Behalf Of
Post by Thor (Hammer of God)
Sent: Thursday, October 28, 2010 9:25 AM
full-
Post by Thor (Hammer of God)
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Yep. Totally agree. Vulnerability exists in the system since it has
been developed. It is just the matter when it has been disclosed or
being
exploited.
Post by Thor (Hammer of God)
I would suggest " 0 day disclosure" instead of "0 day vulnerability" :)
------Original Message------
From: Curt Purdy
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM
Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit) Also, by definition, a 0-day no longer exists the moment it
is announced ;)
For once and for all: There is no such thing as a "zero-day
vulnerability"
Post by Thor (Hammer of God)
(quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Sent from BlackBerry(r) on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
***@simplicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: ****@simplicitymedialtd.co.uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564
Tyler Borland
2010-10-29 17:56:59 UTC
Permalink
I think it's getting ridiculous. Who cares about bureaucratical terms? I
find more and more 'researchers' trying to just be auditors and categorize
exploits and try to follow some kind of universal naming convention for
exploits that doesn't exist and shouldn't exist. I'd rather see information
on exploits and interesting ways to use them than saying it's one type or
the other.

This 'scene' is not about politics and terminology for me.
LMAO!!
Regards;
w0lf
www.maestro-sec.com
-- sent from BlackBerry --
-----Original Message-----
From: "Cal Leeming [Simplicity Media Ltd]"
Date: Fri, 29 Oct 2010 03:23:57
Subject: Re: [Full-disclosure] 0-day "vulnerability"
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Cal Leeming [Simplicity Media Ltd]
2010-10-29 17:58:55 UTC
Permalink
I couldn't agree more.
Post by Tyler Borland
I think it's getting ridiculous. Who cares about bureaucratical terms? I
find more and more 'researchers' trying to just be auditors and categorize
exploits and try to follow some kind of universal naming convention for
exploits that doesn't exist and shouldn't exist. I'd rather see information
on exploits and interesting ways to use them than saying it's one type or
the other.
This 'scene' is not about politics and terminology for me.
LMAO!!
Regards;
w0lf
www.maestro-sec.com
-- sent from BlackBerry --
-----Original Message-----
From: "Cal Leeming [Simplicity Media Ltd]"
Date: Fri, 29 Oct 2010 03:23:57
Subject: Re: [Full-disclosure] 0-day "vulnerability"
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
***@simplicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: ****@simplicitymedialtd.co.uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564
Marsh Ray
2010-10-29 19:25:44 UTC
Permalink
Post by Tyler Borland
I think it's getting ridiculous. Who cares about bureaucratical terms?
I agree that the term "0-day" does not have universal agreement on its
meaning, so its use can be a sign of having too few sources of
information. But still, I think it can be useful. For example:

"The Stuxnet developers clearly had resources at their disposal because
they were willing to burn four Windows 0-days and two code signing certs
for the attack."

In that case we know what "0-day" means: an exploit the attacker can use
at his option without any advance warning to the defender. A sneak
attack, "unfair" to the defender (to the extent he was hoping the
attacker to play fair).
Post by Tyler Borland
I find more and more 'researchers' trying to just be auditors and
categorize exploits and try to follow some kind of universal naming
convention for exploits that doesn't exist and shouldn't exist.
I find myself using the technical term "pwned" quite regularly in
professional discussions. It conveys a certain meaning that I don't is
captured as well by any other terms.

To me it conveys:

1. There is a significant vulnerability present in the target system

2. The attacker has already exploited this vulnerability, or is presumed
to have the ability to exploit it

3. A successful exploit represents a near-total compromise of a critical
protected resource, or it can likely be leveraged into it.

4. A successful exploit invalidates such fundamental assumptions of the
system's security model that it's probably not useful to try to reason
about distinctions in "degrees of pwnage".

5. The fact that the spell-checker doesn't recognize the term, even
though it has been in usage for many years now, should serve as a
reminder that the attacker specializes in putting systems in ambiguous
situations and causing them fail in unanticipated ways.

6. The speaker is not going to sugar coat the truth in politically-
(or even grammatically-) correct terminology.
Post by Tyler Borland
I'd
rather see information on exploits and interesting ways to use them than
saying it's one type or the other.
This 'scene' is not about politics and terminology for me.
I think once you have more than a handful of different and interesting
things, a terminology must emerge in order to be able to discuss them.

But whether or not the terminology which emerges is descriptive,
clearly-defined, agreed-upon, or the subject is becoming overly
political, are all another matter!

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Michal Zalewski
2010-10-28 22:02:26 UTC
Permalink
For once and for all: There is no such thing as a "zero-day
vulnerability" (quoted), only a 0-day exploit...
Cool story, bro.

Any thoughts on the use of the term "hacker"?

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Cal Leeming [Simplicity Media Ltd]
2010-10-28 22:12:08 UTC
Permalink
I lol'd at this thread.
Post by Michal Zalewski
For once and for all: There is no such thing as a "zero-day
vulnerability" (quoted), only a 0-day exploit...
Cool story, bro.
Any thoughts on the use of the term "hacker"?
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
***@simplicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: ****@simplicitymedialtd.co.uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564
Josey Yelsef
2010-10-29 00:04:27 UTC
Permalink
Great way to split hairs.  Fumbling between metaphors, you're better off contacting Merriam-Webster.

--- On Thu, 10/28/10, Michal Zalewski <***@coredump.cx> wrote:

From: Michal Zalewski <***@coredump.cx>
Subject: Re: [Full-disclosure] 0-day "vulnerability"
To: "Curt Purdy" <***@gmail.com>
Cc: full-***@lists.grok.org.uk
Date: Thursday, October 28, 2010, 10:02 PM
For once and for all: There is no such thing as a "zero-day
vulnerability" (quoted), only a 0-day exploit...
Cool story, bro.

Any thoughts on the use of the term "hacker"?

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Akhthar Parvez K
2010-10-28 16:58:15 UTC
Permalink
The term "0-day (or zero-day)" means the action has been done very quickly even without giving the developer enough time to fix the vulnerability of the software in question. Some commonly used terms are 0-day attack, 0-day exploit etc. So if you take that into context, the terms like "0-day vulnerability" or "0-day disclosure" are technically incorrect, IMHO.

I would like to define it like this:

"0-day x" where not all x are 0-days.

Arguments welcome :-)
--
Regards,
Akhthar Parvez K
http://www.sysadminguide.com/
UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity - Dennis Ritchie
Yep. Totally agree. Vulnerability exists in the system since it has been developed. It is just the matter when it has been disclosed or being exploited.
I would suggest " 0 day disclosure" instead of "0 day vulnerability" :)
------Original Message------
From: Curt Purdy
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM
Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit) Also, by definition, a 0-day no longer exists the moment it
is announced ;)
For once and for all: There is no such thing as a "zero-day
vulnerability" (quoted), only a 0-day exploit...
Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Sent from BlackBerry® on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Regards,
Akhthar Parvez K
http://www.sysadminguide.com/
UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity - Dennis Ritchie

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Jubei Trippataka
2010-10-29 01:03:06 UTC
Permalink
zero day can happen to anyone.
--
ciao

JT
Josey Yelsef
2010-10-29 01:18:35 UTC
Permalink
Are you threatening the internet?

--- On Fri, 10/29/10, Jubei Trippataka <***@gmail.com> wrote:

From: Jubei Trippataka <***@gmail.com>
Subject: Re: [Full-disclosure] 0-day "vulnerability"
To: "Curt Purdy" <***@gmail.com>
Cc: full-***@lists.grok.org.uk
Date: Friday, October 29, 2010, 1:03 AM

zero day can happen to anyone.
--
ciao

JT


-----Inline Attachment Follows-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Benji
2010-10-29 01:27:35 UTC
Permalink
clearly sir, you are uneducated.


Post by Josey Yelsef
Are you threatening the internet?
Subject: Re: [Full-disclosure] 0-day "vulnerability"
Date: Friday, October 29, 2010, 1:03 AM
zero day can happen to anyone.
--
ciao
JT
-----Inline Attachment Follows-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Loading...